Fast, automated static analysis toolkit for malware binary triage. Supports PE, ELF, Mach-O, .NET assemblies, and Office/PDF documents with 33 integrated analysis modules.
╔════════════════════════════════════════════════════════════════════════════╗
║ __ __ _ _____ _ ║
║ | \/ | __ _| |_ ____ _ _ __ ___ |_ _| __(_) __ _ __ _ ___ ║
║ | |\/| |/ _` | \ \ /\ / / _` | '__/ _ \ | || '__| |/ _` |/ _` |/ _ \ ║
║ | | | | (_| | |\ V V / (_| | | | __/ | || | | | (_| | (_| | __/ ║
║ |_| |_|\__,_|_| \_/\_/ \__,_|_| \___| |_||_| |_|\__,_|\__, |\___| ║
║ |___/ ║
║ Fast Malware Binary Triage v1.0 ║
╚════════════════════════════════════════════════════════════════════════════╝
- Multi-format support — PE, ELF, Mach-O, .NET, OLE2/Office, PDF
- 33 analysis modules — from file hashing to behavior prediction
- 14 malware family config extractors — AgentTesla, AsyncRAT, Cobalt Strike, Emotet, FormBook, IcedID, LokiBot, njRAT, DcRAT, QuasarRAT, Raccoon, RedLine, Remcos, WarzoneRAT
- 6 threat intelligence integrations — VirusTotal, MalwareBazaar, ThreatFox, URLhaus, CIRCL Hashlookup, Cert Graveyard
- YARA scanning — local rules + auto-sync from 8 public GitHub rule repositories
- Auto YARA rule generation — creates validated rules when no existing rules match
- Shellcode detection — NOP sleds, stagers, position-independent code, syscall patterns
- Network IOC extraction — URLs, IPs, domains with C2 likelihood scoring
- Behavior prediction engine — weighted multi-signal synthesis across 18 categories
- HTML triage reports — dark-themed, interactive reports with risk scoring
- Interactive TUI — curses-based terminal interface for navigating results
- Batch mode — process entire directories with dashboard and CSV export
- Threat Trading Cards — fun stat cards for samples (ATK/STL/PER/EVA/NET/DES)
- Graceful degradation — works with minimal dependencies, unlocks features as you install more
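The network IOC extraction listed above is only useful if the junk that every binary carries (DLL names, version numbers, loopback and RFC 1918 addresses, Microsoft schema URLs) is filtered out before anything gets a C2 score. The following is an added illustration of that filter-then-score approach; it is not code from malware_triage.py, the TLD allow-list, benign-host list and score weights are assumptions chosen for the example, and the string dump it runs on is constructed, not taken from a real sample.

```python
"""Network IOC extraction with false-positive filtering and a C2 likelihood score."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Loose patterns on raw bytes; the filters below do the real work of dropping junk.
URL_RE = re.compile(rb"(?:https?|ftp)://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
DOMAIN_RE = re.compile(rb"(?<![A-Za-z0-9.@-])(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,24}(?![A-Za-z0-9.-])")

# Assumption: a short TLD allow-list stands in for the IANA list so "kernel32.dll" is not a domain.
KNOWN_TLDS = {"com", "net", "org", "ru", "cn", "info", "io", "top", "xyz", "pw", "cc", "su", "onion"}
RISKY_TLDS = {"top", "xyz", "pw", "cc", "su", "onion"}          # assumption: cheap, frequently abused TLDs
# Hosts that show up in nearly every signed or .NET binary (manifests, schemas, CRL/OCSP URLs).
BENIGN_HOSTS = {"schemas.microsoft.com", "www.microsoft.com", "crl.microsoft.com",
                "ocsp.digicert.com", "www.w3.org", "schemas.xmlsoap.org"}
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".hta", ".bin", ".dat", ".jar")
# Unroutable space is never a C2 address. TEST-NET ranges are deliberately left out
# so the constructed sample below can use 203.0.113.0/24; add them for production use.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class IOC:
    kind: str        # "url", "ip" or "domain"
    value: str
    score: int       # 0-100 C2 likelihood; the weights are this example's assumptions
    reasons: tuple


def routable_ipv4(text):
    """Return an IPv4Address for text if it parses and is globally routable, else None."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:        # octet > 255, version numbers, etc.
        return None
    return None if any(ip in net for net in NON_ROUTABLE) else ip


def is_candidate_domain(host):
    return host.rsplit(".", 1)[-1] in KNOWN_TLDS and host not in BENIGN_HOSTS


def host_signals(host):
    """Score bonus and reasons derived from the host alone."""
    if routable_ipv4(host):
        return 15, ["raw-ip host"]
    score, reasons = 0, []
    labels = host.split(".")
    if labels[-1] in RISKY_TLDS:
        score, reasons = score + 15, reasons + ["risky tld"]
    # crude DGA hint: a label mixing letters and digits ("a1b2c3d4")
    if any(l.isalnum() and not l.isalpha() and not l.isdigit() for l in labels[:-1]):
        score, reasons = score + 10, reasons + ["mixed alnum label"]
    return score, reasons


def extract_iocs(blob):
    """Extract URLs, IPv4 addresses and domains from raw bytes, deduplicated and scored."""
    iocs = {}

    def add(kind, value, score, reasons):
        iocs.setdefault((kind, value), IOC(kind, value, min(score, 100), tuple(reasons)))

    for m in URL_RE.finditer(blob):
        url = m.group().decode("ascii", "replace").rstrip(".,;)'\"")
        try:
            parts = urlsplit(url)
            host, port = (parts.hostname or "").lower(), parts.port
        except ValueError:    # malformed port etc.
            continue
        if not host or host in BENIGN_HOSTS:
            continue
        ip = routable_ipv4(host)
        if ip is None and not is_candidate_domain(host):
            continue
        bonus, reasons = host_signals(host)
        score = 40 + bonus
        if parts.path.lower().endswith(PAYLOAD_EXT):
            score, reasons = score + 20, reasons + ["payload extension"]
        if port not in (None, 80, 443, 21):
            score, reasons = score + 10, reasons + ["non-standard port"]
        add("url", url, score, reasons)
        if ip:
            add("ip", host, 45, ["host of url"])
        else:
            add("domain", host, 40 + bonus, host_signals(host)[1] + ["host of url"])

    for m in IPV4_RE.finditer(blob):
        text = m.group().decode()
        if routable_ipv4(text):
            add("ip", text, 30, ["bare ip string"])

    for m in DOMAIN_RE.finditer(blob):
        host = m.group().decode().lower()
        if is_candidate_domain(host):
            bonus, reasons = host_signals(host)
            add("domain", host, 25 + bonus, reasons + ["bare domain string"])

    return sorted(iocs.values(), key=lambda i: -i.score)


# Constructed string dump standing in for a string-extraction pass; not from a real sample.
SAMPLE_STRINGS = b"\x00".join([
    b"kernel32.dll", b"GetProcAddress", b"config.ini",
    b"https://schemas.microsoft.com/SMI/2005/WindowsSettings",
    b"http://203.0.113.47:8080/update.exe", b"203.0.113.47",
    b"cdn-update.top", b"a1b2c3d4.xyz",
    b"10.0.0.5", b"127.0.0.1", b"6.1.7601.0", b"999.1.1.1",
    b"http://www.w3.org/2001/XMLSchema",
])

if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_STRINGS):
        print(f"{ioc.score:3d} {ioc.kind:6s} {ioc.value}  ({', '.join(ioc.reasons)})")
```

On the constructed dump this keeps four indicators (the URL with a raw-IP host, payload extension and odd port scores highest) and discards the DLL name, the INI file, the version string, the out-of-range octet, the loopback and private addresses, and the two Microsoft/W3C schema URLs. Whatever the real weights are, the order of operations is the point: dedupe and filter first, score second, and record the reasons so an analyst can see why a score was assigned.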
Install the Python dependencies:

```bash
pip install -r requirements.txt
```

API keys are optional: every local module works without them, and only the VirusTotal and abuse.ch lookups need one. Three ways to supply them:

```bash
# Option A: Environment variables (recommended)
export VT_API_KEY="your-virustotal-api-key"
export ABUSECH_API_KEY="your-abusech-api-key"

# Option B: Edit the script directly
# Set VT_API_KEY_BAKED and ABUSECH_API_KEY_BAKED near the top of malware_triage.py
# (a key baked into the script ends up in every commit and backup of it; prefer Option A)

# Option C: Pass via CLI
# (the key is visible in shell history and in the process list while the tool runs)
python3 malware_triage.py sample.exe --vt-api-key YOUR_KEY --abusech-api-key YOUR_KEY
```

See config.example.env for a full template.
| Tool | Purpose | Install |
|---|---|---|
| Mandiant FLOSS | Advanced string extraction (decoded, stack, tight strings) | Download binary from releases |
| Mandiant CAPA | Capability analysis with ATT&CK/MBC mapping | pip install flare-capa or download binary |
| vt-cli | VirusTotal CLI (download, scan, search, relationships) | Download binary from releases |
| ExifTool | Extended metadata extraction | brew install exiftool / apt install libimage-exiftool-perl |
Quick start:

```bash
python3 malware_triage.py sample.exe
```

Common invocations:

```bash
# Basic triage (all local analysis, no API keys needed)
python3 malware_triage.py sample.exe

# Full triage with custom YARA rules
python3 malware_triage.py sample.exe --yara-dir /path/to/yara_rules

# Dump PE resources for offline inspection
python3 malware_triage.py sample.exe --dump-resources ./extracted_resources

# Generate HTML report
python3 malware_triage.py sample.exe -o ./reports

# Fast mode (skip slow operations: FLOSS, VT relationships, CAPA)
python3 malware_triage.py sample.exe --fast

# Offline mode (no network lookups; --no-urlhaus covers the URLhaus lookup that has its own flag)
python3 malware_triage.py sample.exe --no-vt --no-abusech --no-urlhaus --no-capa --no-hashlookup --no-certgraveyard

# Interactive TUI mode
python3 malware_triage.py sample.exe --tui

# Batch process a directory
python3 malware_triage.py ./malware_samples/ --batch --batch-csv

# Force auto YARA rule generation
python3 malware_triage.py sample.exe --auto-yara

# Enrich extracted IOCs via VirusTotal
python3 malware_triage.py sample.exe --vt-enrich-iocs

# Sync YARA rules from public GitHub repos before scanning
python3 malware_triage.py sample.exe --sync-rules

# JSON-only output (for piping to other tools)
python3 malware_triage.py sample.exe --json-only
```

Standalone VirusTotal operations (these need a VT API key; sample download and Intelligence search are premium features that the free API does not expose):

```bash
# Download a sample by hash
python3 malware_triage.py --vt-download SHA256_HASH --vt-download-dir ./downloads

# Submit a file for scanning
# (this uploads the file to VirusTotal, where other subscribers can retrieve it;
#  do not submit samples that are confidential or tied to an ongoing investigation)
python3 malware_triage.py --vt-scan suspicious_file.exe

# VT Intelligence search
python3 malware_triage.py --vt-search "type:peexe size:100kb+ positives:10+"

# Look up a domain/IP/URL (203.0.113.5 is a documentation address; private RFC 1918
# addresses such as 192.168.x.x return nothing useful from VT)
python3 malware_triage.py --vt-lookup-domain evil.com
python3 malware_triage.py --vt-lookup-ip 203.0.113.5
python3 malware_triage.py --vt-lookup-url "http://evil.com/payload"
```

| Flag | Description |
|---|---|
| binary | Path to binary file (or directory for batch mode) |
| -y, --yara-dir | Custom YARA rules directory |
| --sync-rules | Sync YARA rules from GitHub before scanning |
| -k, --vt-api-key | VirusTotal API key |
| -o, --output | Output directory for reports |
| --auto-yara | Auto-generate YARA rule from analysis |
| -r, --dump-resources | Dump PE resources to disk |
| --no-vt | Skip VirusTotal lookups |
| --no-vt-relationships | Skip VT relationship queries |
| --vt-enrich-iocs | Enrich extracted IOCs via VT |
| --vt-download | Download sample from VT by hash |
| --vt-download-dir | Directory for VT downloads |
| --vt-scan | Submit file to VT for scanning |
| --vt-search | VT Intelligence search query |
| --vt-search-limit | Max results for VT search (default: 20) |
| --vt-lookup-url | Look up a URL on VT |
| --vt-lookup-domain | Look up a domain on VT |
| --vt-lookup-ip | Look up an IP on VT |
| --abusech-api-key | abuse.ch API key |
| --no-abusech | Skip abuse.ch lookups |
| --no-urlhaus | Skip URLhaus lookups |
| --capa-rules | Custom CAPA rules directory |
| --no-capa | Skip CAPA analysis |
| --no-hashlookup | Skip CIRCL Hashlookup |
| --no-certgraveyard | Skip Cert Graveyard lookup |
| --update-certgraveyard | Force-update Cert Graveyard database |
| --fast | Fast mode (skip slow operations) |
| --no-strings | Skip string extraction |
| --json-only | JSON-only output |
| --tui | Launch interactive TUI |
| --no-card | Skip trading card generation |
| --batch | Enable batch mode for directories |
| --batch-max-depth | Max directory recursion depth (default: 3) |
| --batch-max-size | Max file size in MB for batch (default: 100) |
| --batch-csv | Export batch results to CSV |
The tool runs 33 analysis modules in sequence. For detailed documentation on each module, see MODULE_REFERENCE.md.
| # | Module | Description |
|---|---|---|
| 1 | File Metadata & Hashing | MD5, SHA1, SHA256, SSDeep, ImpHash, file type detection, entropy |
| 2 | PE Header Analysis | Sections, imports (risk-flagged), exports, TLS callbacks, debug info |
| 3 | PE Resource Extraction | Resource tree walk, content type detection, entropy, anomaly detection |
| 4 | PE Certificate / Authenticode | Certificate chain parsing, stolen cert database cross-reference |
| 5 | PE Rich Header | XOR decryption, MSVC toolchain fingerprinting, anomaly detection |
| 6 | ELF Binary Analysis | Sections, symbols, security flags (RELRO, NX, PIE, stack canary) |
| 7 | Mach-O Binary Analysis | Load commands, dylibs, codesign info, entitlements |
| 8 | .NET Assembly Analysis | Metadata, type references, P/Invoke calls, obfuscator detection |
| 9 | Document / Maldoc Analysis | VBA macros, PDF JavaScript, suspicious OLE streams, template injection |
| 10 | Packer Detection | Section signatures, entry point stubs, structural analysis |
| 11 | Crypto Detection | Constants (AES S-Box, RSA, etc.), APIs, string patterns |
| 12 | Anti-Analysis Detection | Anti-debug, anti-VM, anti-sandbox techniques with MITRE ATT&CK mapping |
| 13 | String Extraction | Mandiant FLOSS (decoded, stack, tight) with pattern categorization |
| 14 | Network IOC Extraction | URLs, IPs, domains, emails, C2 likelihood scoring |
| 15 | Behavior Prediction Engine | Multi-signal synthesis across 18 behavioral categories |
| 16 | Config Extractor | Deep extraction for 14 malware families |
| 17 | Shellcode Scanner | NOP sleds, stagers, PIC detection, syscall patterns |
| 18 | Threat Trading Card | Fun stat card with ATK/STL/PER/EVA/NET/DES scores |
| 19 | YARA Rule Scanning | Recursive scan against local rule sets |
| 20 | Auto YARA Rule Generation | Creates validated rules from EP bytes, unique strings, hex patterns |
| 21 | VirusTotal API | Detection score, threat labels, sandbox verdicts, ATT&CK mapping |
| 22 | VT-CLI Sandbox Relationships | Network activity, dropped files, contacted domains, threat actors |
| 23 | VT-CLI IOC Enrichment | Domain/IP/URL reputation via vt-cli |
| 24 | VT-CLI Standalone Ops | Download, scan, search, lookup |
| 25 | MalwareBazaar Lookup | abuse.ch malware sample database |
| 26 | ThreatFox IOC Lookup | abuse.ch IOC database |
| 27 | URLhaus Lookup | abuse.ch malware URL database |
| 28 | CAPA Capability Analysis | ATT&CK technique mapping, MBC behaviors |
| 29 | CIRCL Hashlookup | NSRL known-good software identification |
| 30 | Cert Graveyard | Certificate abuse database cross-reference |
| 31 | HTML Triage Report | Dark-themed, interactive report with risk scoring |
| 32 | Interactive TUI | Curses-based terminal interface |
| 33 | Batch Mode + Dashboard | Directory processing with HTML dashboard and CSV export |
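Module 5 above is a good example of where "anomaly detection" comes from in static triage: the Rich header is XOR-encrypted with a key that is also a checksum over the DOS header and the @comp.id entries, so a sample whose recomputed checksum does not match its key has had either its DOS stub or its Rich block patched (typically a copied header meant to look like a legitimate MSVC build). The block below is an added worked example of that decode-and-verify step, not the project's own implementation; the DOS stub and comp.id values are constructed for the example and the product ids are placeholders, not a real toolchain fingerprint (the tool's MSVC mapping of prod_id to compiler versions is not reproduced here).

```python
"""PE Rich header: XOR-decode the @comp.id entries and verify the checksum that doubles as the key."""
import struct

DANS = 0x536E6144   # "DanS" as a little-endian dword
MASK = 0xFFFFFFFF


def rol32(value, count):
    count &= 31
    return ((value << count) | (value >> (32 - count))) & MASK


def rich_checksum(data, dans_offset, entries):
    """Linker checksum: rotated DOS-header bytes (e_lfanew at 0x3C-0x3F skipped) plus rotated comp.ids."""
    cksum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(data[i], i)) & MASK
    for prod_id, build, count in entries:
        cksum = (cksum + rol32((prod_id << 16) | build, count)) & MASK
    return cksum


def parse_rich_header(data):
    """Return {offset, key, entries:[(prod_id, build, count)], checksum_valid} or None if absent/malformed."""
    if len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    end = data.find(b"Rich", 0, min(e_lfanew, len(data)))   # header lives between DOS stub and PE header
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    words, pos = [], end - 4
    while pos >= 0:                                # walk back, decrypting, until the DanS marker
        word = struct.unpack_from("<I", data, pos)[0] ^ key
        if word == DANS:
            break
        words.append(word)
        pos -= 4
    else:
        return None
    words.reverse()
    # DanS is followed by three zero padding dwords, then (comp.id, use-count) pairs
    if len(words) < 3 or any(words[:3]) or len(words[3:]) % 2:
        return None
    pairs = words[3:]
    entries = [(pairs[i] >> 16, pairs[i] & 0xFFFF, pairs[i + 1]) for i in range(0, len(pairs), 2)]
    return {"offset": pos, "key": key, "entries": entries,
            "checksum_valid": rich_checksum(data, pos, entries) == key}


def build_rich_header(dos_stub, entries):
    """Append a linker-style Rich header to a DOS stub (used only to construct test input here)."""
    key = rich_checksum(dos_stub, len(dos_stub), entries)
    words = [DANS, 0, 0, 0]
    for prod_id, build, count in entries:
        words += [(prod_id << 16) | build, count]
    body = b"".join(struct.pack("<I", w ^ key) for w in words)
    return dos_stub + body + b"Rich" + struct.pack("<I", key)


# Constructed DOS header/stub (0x80 bytes, e_lfanew = 0x100) and comp.id values for the example;
# the product ids are placeholders, not a real toolchain fingerprint.
DOS_STUB = b"MZ" + b"\x90" * 0x3A + struct.pack("<I", 0x100) + b"\x00" * 0x40
SAMPLE_ENTRIES = [(0x00DB, 0x5D6E, 12), (0x00DC, 0x5D6E, 3), (0x0101, 0x6B74, 1)]

if __name__ == "__main__":
    blob = build_rich_header(DOS_STUB, SAMPLE_ENTRIES)
    print(parse_rich_header(blob))
    tampered = bytearray(blob)
    tampered[0x10] ^= 0xFF          # patch a DOS-stub byte: entries still decode, checksum no longer matches
    print(parse_rich_header(bytes(tampered))["checksum_valid"])
```

Two details matter in practice: the search for "Rich" is bounded by e_lfanew, because the marker string can legitimately occur later in the file, and the checksum is recomputed over the bytes actually preceding DanS rather than a fixed 0x80, because stubs of other sizes exist. A mismatch is a strong anomaly signal, not proof of malice, so report it alongside the decoded entries rather than suppressing them.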
Place .yar / .yara files in the rules directory (default: ./yara_rules). Subdirectories are scanned recursively.

```text
yara_rules/
├── apt/
│   ├── scattered_spider.yar
│   └── lazarus.yar
├── ransomware/
│   ├── lockbit.yar
│   └── blackcat.yar
└── custom/
    └── my_rules.yar
```
Use --sync-rules to automatically download YARA rules from 8 curated GitHub sources:
- YARA-Rules Project
- Elastic Protections Artifacts
- ReversingLabs YARA Rules
- Google GCTI
- Malpedia Signator Rules
- The DFIR Report
- Neo23x0 Signature Base
- ThreatHunting Keywords
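Two things go wrong with rule trees like the one above once public repositories are synced into them: rule names collide across files, and a single file written for a newer YARA (or simply broken) aborts compilation of everything. The example below is added here to show one way of loading such a tree file by file under a per-path namespace, and of drafting the kind of rule the auto-generation feature produces from entry-point bytes and unique strings, validating it only when yara-python happens to be installed. It is not the project's own code; the rule layout, string limits and condition are this example's assumptions, and the entry-point bytes, strings and PE-like sample it runs on are constructed.

```python
"""Recursive YARA rule-tree loading plus auto rule generation, validated only when yara-python is present."""
import re
import tempfile
from pathlib import Path

try:
    import yara                      # optional: everything below still runs without it
except ImportError:
    yara = None

RULE_EXT = {".yar", ".yara"}


def collect_rule_files(rules_dir):
    """Walk rules_dir recursively; namespace each file by its relative path so rule names never collide."""
    root = Path(rules_dir)
    return {p.relative_to(root).with_suffix("").as_posix(): str(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix.lower() in RULE_EXT}


def compile_rule_files(files):
    """Compile each file on its own so one broken rule file is reported and skipped rather than fatal.
    Returns (compiled, broken); (None, None) when yara-python is not installed."""
    if yara is None:
        return None, None
    compiled, broken = {}, []
    for ns, path in files.items():
        try:
            compiled[ns] = yara.compile(filepath=path)
        except yara.Error as exc:
            broken.append((ns, str(exc)))
    return compiled, broken


def generate_rule(name, sha256, ep_bytes, strings, max_strings=10):
    """Draft a rule from entry-point bytes and unique printable strings; None when there is nothing to key on."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name) or "auto_rule"
    if ident[0].isdigit():
        ident = "_" + ident
    uniq = [s for s in dict.fromkeys(strings) if 8 <= len(s) <= 200 and s.isprintable()][:max_strings]
    if not uniq and not ep_bytes:
        return None
    lines = [f"rule {ident}", "{", "    meta:", f'        hash = "{sha256}"',
             '        source = "auto-generated triage rule"', "    strings:"]
    for i, s in enumerate(uniq):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{esc}" ascii wide')
    terms = []
    if ep_bytes:
        lines.append("        $ep = { " + " ".join(f"{b:02X}" for b in ep_bytes) + " }")
        terms.append("$ep")
    if uniq:
        terms.append(f"{min(3, len(uniq))} of ($s*)")
    lines += ["    condition:", "        uint16(0) == 0x5A4D and (" + " or ".join(terms) + ")", "}"]
    return "\n".join(lines) + "\n"


def validate_rule(rule_text, sample):
    """True/False when yara-python is installed (must compile and hit the sample it came from), else None."""
    if yara is None:
        return None
    try:
        return bool(yara.compile(source=rule_text).match(data=sample))
    except yara.Error:
        return False


# Constructed inputs standing in for entry-point and string extraction output; not from a real sample.
SAMPLE_EP = bytes.fromhex("5589E583EC10E800000000")
SAMPLE_STRINGS = ["Mozilla/5.0 (Windows NT 10.0)", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                  "cmd.exe /c del", "Mozilla/5.0 (Windows NT 10.0)", "ab"]
SAMPLE_FILE = b"MZ" + b"\x00" * 0x3E + SAMPLE_EP + b"\x00".join(s.encode() for s in SAMPLE_STRINGS)


def demo_rule_tree():
    """Lay out the README's yara_rules/ tree (plus one broken file) in a temp dir and load it."""
    with tempfile.TemporaryDirectory() as d:
        for rel in ("apt/scattered_spider.yar", "apt/lazarus.yar", "ransomware/lockbit.yar",
                    "custom/my_rules.yar", "custom/broken.yar", "notes.txt"):
            p = Path(d, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("rule { condition: true }\n" if rel.endswith("broken.yar")
                         else "rule placeholder { condition: false }\n")
        files = collect_rule_files(d)
        compiled, broken = compile_rule_files(files)
        return {ns: Path(path).relative_to(d).as_posix() for ns, path in files.items()}, broken


if __name__ == "__main__":
    print(demo_rule_tree())
    text = generate_rule("auto triage 1", "0" * 64, SAMPLE_EP, SAMPLE_STRINGS)
    print(text, "validated:", validate_rule(text, SAMPLE_FILE))
```

The generated rule is deliberately conservative: it requires the MZ magic, escapes backslashes and quotes in the string literals, drops strings shorter than eight characters, and asks for several strings or the entry-point bytes rather than any single one. A rule that compiles but does not hit the sample it was built from is treated as a failure, which is the check that keeps auto-generated rules from silently producing nothing.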
```text
malware_triage/
├── malware_triage.py        # Main script (all 33 modules)
├── requirements.txt         # Python dependencies
├── config.example.env       # API key configuration template
├── MODULE_REFERENCE.md      # Detailed module documentation
├── LICENSE                  # MIT License
├── .gitignore               # Git ignore rules
├── yara_rules/              # YARA rule sets (add your own)
│   └── ...
├── triage_reports/          # Generated HTML reports (gitignored)
│   └── ...
└── sample/                  # Your malware samples (gitignored)
    └── ...
```
- Python 3.8+
- See requirements.txt for Python packages
- All dependencies are optional — the tool degrades gracefully
| Service | Free? | Registration |
|---|---|---|
| VirusTotal | Free tier available (Enterprise recommended) | virustotal.com |
| abuse.ch | Free | auth.abuse.ch |
| CIRCL Hashlookup | Free, no key needed | hashlookup.circl.lu |
| Cert Graveyard | Free, no key needed | certgraveyard.org |
Renzon Cruz (@r3nzsec)
This project is licensed under the MIT License — see the LICENSE file for details.